Monthly Archives: February 2005


Exchange blogs anyone?

Exchange MVP blogs:

Microsoft Exchange blogs:


I think I had a bit too much Mountain Dew too late in the evening or something…

I had this bizarre dream this morning.  You know that morning dream you get when you go back to sleep for a bit… the one in which you dream really, really bizarre stuff?


I had this dream that in order to promote LUA and least privilege user mode and all that … Bill Gates was Grand Marshal of the Pasadena Tournament of Roses Parade.


Now exactly HOW being grand marshal would promote running as a restricted user … I have no idea… but that was my crazy dream this morning.


Now given that the Grand Marshal tends to set a theme for the floats… and the theme was LUA and least privilege… I have no idea how the flower-covered floats would look.  I didn’t dream that far into the details and just woke up going… okay, how exactly did that idea get into my head?


Okay… I really need a life   :-)

The balance

Oh my gawd… the enemies are out there… oh no… they are in here…  The Security mentor brings up something along the lines of my password issue… it’s an issue I call “the balance”.  Every day, each one of us takes our expertise and talent and tries to balance the forces of needing to do our jobs and needing to secure the information we are caretakers for.  The most secure information is locked up away, never shared.  But… you see… the best solution to our problem might be to share that information.


So every day we connect and communicate and open the holes and go through the firewall and pass the syn acks and all that. 


And every day we balance the access with the abilities it brings.  Push too many security restrictions on your end users and you restrict interaction and stifle creativity and business.  Enable too much freedom and you have insecurity all over the place.


There’s a balance…and that balance costs. 


One of the ways to help set the line, to help determine the right costs for that balance, is analyzing and putting mental boundaries around data.  Even if your computer systems don’t categorize data as “high risk”, medium or low risk, you should.  What is the data that should never, ever be let out the castle gates?  Make sure everyone in the office knows to treat that data as carefully as possible.


When it comes right down to it a lot of this really comes down to the ‘people’ part of the equation.  Make compliance with ‘doing the right thing’ too hard and people will find ways around it.  Make the choices easier to do, and people don’t mind ‘doing the right thing’.


Sometimes the worst enemy of all…. is you.

The ugly truth about Passwords

For all my talk about security I’m going to bare my soul to you all.  I do something very very dumb.


I do a very stupid thing.  One that my fellow Security gurus beat me up over [and rightfully so].


Like Gavin, there are times I need to log into “THE PROFILE”.  Not the admin profile, not a generic profile, but THE profile of the person that will be logging into that system come Monday morning.  So I need their password.  Yup, not too smart, is it?


So either I have to do what my Security Gurus do, like Gavin, and force people into changing passwords every time I need to manually install something or ensure that a server deployment went as it should, or I have to figure out some other way of installing updates on a weekly basis, ensuring that the desktop experience is “perfect” and not jeopardizing accountability in the process.  I’m still personally struggling with the right answer.  I mean, I’m totally violating authentication here.  Yeah, I know, totally NOT smart, I’ll be the first to admit it.


Steve Friedl says this is something that is done all the time in the ‘Nix world… and while many times if one OS has something the other OS has it too, this is one area where I’m not sure I can find a Windows equivalent.  Red Hat does have the same ability to age passwords and force certain policies with add-ons and other built-ins.  So if you can log in as an admin in Red Hat [or a similar 'Nix distro] and then go into the profile experience of a user on that system… sooooo… why can’t we do that in Windows?  I’m the Administrator of my network… so why can’t I get into the profile of that user without jeopardizing accountability in my network?


The real problem that “I” have, is exactly what Dr. Jesper Johansson says:


“The best practice is not to make the same person responsible for both security and system administration.”


And that’s exactly the problem I have.  I’m both.  I’m trying to make the desktop experience ‘automagical’ for my users, and at the same time, trying to keep us secure.


So I know that the folks that do consulting normally do force the user to change the password like Gavin does.  What do you do in a similar situation?


Me, I’m hoping some folks north of me will listen up and maybe in that OS that I’m tired of hearing about [pssss.... goes by the name of that cow with big horns that I'm tired of hearing about so I won't even say its name], will do something about my problem.  Either that or maybe I need an upgrade in policies myself.


I think I’ll probably end up upgrading myself to the next paranoid version.  :-)

Trend Engine Update

To manually update Trend, follow the steps below.  Otherwise, on March 3rd it will get the necessary update.  [me I'm waiting]

Follow these steps to manually update your ScanMail scan engine:

1. Open your Web browser and type the following URL address: http://www.trendmicro.com/download/engine.htm

2. Download the scan engine for your program version of ScanMail.

3. Stop the ScanMail Real-time Scanning services (Select Start > Programs > Administrative Tools > Services > ScanMail_RealTimeScan > Stop) and make sure that no scheduled scans are running.

4. Double-click the downloaded file and unzip it.

5. Copy all files to the …\Trend\Smex directory, which overwrites the existing files.

6. Restart the ScanMail Real-time Scanning services (follow the steps in number 3 above, but substitute Start for Stop).

Excerpted from ScanMail for Exchange on-line help.


Trend Vulnerability

This vulnerability exists in the ARJ archive file format parser.

The ARJ archive file format is too flexible, especially in the file name field in the local header. This file name is stored as a null-terminated string and is limited only by the overall size of the local header (the local header size is stored as a 16-bit value and is limited to 2,600 bytes).

If the file name exceeds the maximum allocated size, the VSAPI scan engine still copies this file name into a 512-byte buffer, overwriting the succeeding data structure. One of the fields in that data structure is a pointer to another data structure. The next instruction after the copying of the file name is an assignment to a member of the structure referred to by the overwritten pointer. That routine causes an illegal memory access.

Thus, it is possible to create a specially crafted ARJ archive file that overwrites data after the allocated 512-byte buffer. This specially crafted file could possibly execute arbitrary code.

The ISS advisory can be seen here: http://xforce.iss.net/xforce/alerts/id/189
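To make the bug class concrete, here is an added example (not Trend's code, and not the real ARJ on-disk layout, which is simplified to a header size plus a null-terminated name) showing a header reader that bounds the name by the declared header size and refuses anything that would not fit the 512-byte buffer, which is the check the advisory says was missing:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_BUF      512   /* fixed buffer the advisory says the name is copied into */
#define MAX_LOCAL_HDR 2600  /* 16-bit header-size field, capped at 2,600 bytes */

/* Simplified stand-in for an ARJ local header (an assumption for this example,
 * not the real on-disk layout): the declared size and the bytes it covers,
 * which begin with a null-terminated file name. */
struct local_hdr {
    uint16_t size;
    const uint8_t *body;
};

/* The defect described above is a copy that runs to the NUL wherever it is
 * (strcpy-style), so a name longer than NAME_BUF - 1 bytes overwrites what
 * follows the buffer. This reader bounds the search by the declared header
 * size and refuses any name that does not fit, terminator included.
 * Returns the name length, -1 for a malformed header, -2 if it would not fit. */
int arj_read_name(const struct local_hdr *h, char *dst, size_t dst_len) {
    if (h->size > MAX_LOCAL_HDR || dst_len == 0) return -1;
    const uint8_t *nul = memchr(h->body, 0, h->size);
    if (nul == NULL) return -1;            /* no terminator inside the header */
    size_t n = (size_t)(nul - h->body);
    if (n + 1 > dst_len) return -2;        /* would overflow dst */
    memcpy(dst, h->body, n + 1);
    return (int)n;
}

/* Constructed sample headers covering the normal, oversize and unterminated cases. */
int parse_ok_name(void) {
    static const uint8_t body[] = "readme.txt";
    struct local_hdr h = { (uint16_t)sizeof body, body };
    char name[NAME_BUF];
    return arj_read_name(&h, name, sizeof name);
}
int parse_oversize_name(void) {
    static uint8_t body[MAX_LOCAL_HDR];    /* 2,599 'A's then NUL: header is legal, name is not */
    memset(body, 'A', sizeof body - 1);
    body[sizeof body - 1] = 0;
    struct local_hdr h = { (uint16_t)sizeof body, body };
    char name[NAME_BUF];
    return arj_read_name(&h, name, sizeof name);
}
int parse_unterminated_name(void) {
    static const uint8_t body[] = { 'a', 'b', 'c' };   /* header ends before any NUL */
    struct local_hdr h = { (uint16_t)sizeof body, body };
    char name[NAME_BUF];
    return arj_read_name(&h, name, sizeof name);
}
```

The oversize case is exactly the advisory's scenario: a header that is legal by the 2,600-byte limit but carries a name far longer than the 512-byte buffer.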


There are some things in life that you just “can’t” do without

We make a huge thing about making sure that we build in backups, disaster recovery, redundancy, but there’s one thing that, unless you have your own true backup and redundancy, means you only have about 30 minutes separating you from all the technology at your fingertips and whipping out a Dixon Ticonderoga.




Today at about 3:45 p.m., all of a sudden, all of our battery backups on all of our workstations and servers started madly beeping even though the power was still on.  It appeared that we were having a bit of a brownout and our battery backups were kicking in to make up the difference.  [And yes, we’d found that buying EVERY workstation a battery backup is cheaper than possibly losing a spreadsheet or project when the power goes out.  We make sure there’s even a backup battery on the phone system and the network switch so we can quickly save and shut down our workstations.]  About 4 p.m. the power straightened up and we went on with our day.


Well, tonight about 7:30, we’re working along and “BEEEEEEEPPPPPP”, there goes the power again.  While we did have the functional battery backups, I found we needed one more thing.  Emergency power lights.  We have one in the office that turns into a flashlight, but obviously not enough.  I found myself walking down the hallway with one hand on the wall, visualizing the doorways and openings to get to where the emergency flashlight was.  We shut down the server fully this time since we felt that the power truly was going to stay out for a bit this time.


Check those battery backups… yank the cord of the UPS from the wall and make sure that your workstations and servers stay up… long enough for you to turn them off.


The moral of this story is that for all our worrying about “up time” and “true redundant servers” and “redundant DSL connections”, sometimes what you really need most in the world is just a flashlight so you can go turn off the server and go home early for the night.

Warning on www.SBSlinks.com

I don’t host web sites on my own servers; I hire others to host them for me.  But then you have to rely on their security practices to ensure all is well.  Well, tonight, thanks to David Svirskis, I got my own wakeup call of how bad it’s getting out there to “browse” on the Internet.  David emailed me with the warning that my little SBS web site that I use to throw up pages here and there was the site of a trojan.  Java/Shinwow.Q!Jar!Trojan, to be exact.


Steve Friedl, Security MVP, looked at the offending file and found that it was indeed trying to hijack web browsers.


So for now, if you go to my site sbslinks, the home page isn’t there, as I temporarily moved it and replaced it with a temporary page.  I’ve emailed Readyhosting.com to have them clean up the site and take action.


Just kinda feels a bit weird when a web page I set up to help others ends up being a bad guy.  Downright creepy, actually.

Trend A/V Security issue

Trend Micro has a security issue that needs an engine update.  The updates are here, but I’ll check to see if they automatically come down via the autoupdate.

The glass is indeed 1/2 full, not 1/2 empty

On the blog comments today comes a passionate post that I’d just like to respond to, because it points to a type of Microsoft partner that I came across once upon a time… the glass-is-half-empty partner…


Scott in the blog comments rants that SBS is a “bait and switch” because it’s limited to 16 gigs of Exchange storage space under all versions of SBS and to go to the next level of 16 terabytes you have to fork out for the Exchange Enterprise version which is like $4,000.


First off, while I agree with Scott that there’s a need out here for a “mid” sized SKU for Exchange… dude, you DO realize that SBS includes Exchange “Standard”, and thus even if you buy standalone products you are stuck with the 16 gig even at the Exchange Standard version.


Exactly what “are” you installing for your small business clientele if you “are” a Microsoft partner?  Hopefully not 25-user peer-to-peer networks?


You sir, are exactly the type of Microsoft partner that I ran into when I was looking for one back in the SBS 2000 days.  “SBS is too limiting” they said.  “You’ll outgrow it”…. they said.


Guess what dude… I’m still on it. 


Yeah, 16 gigs is too limiting… but blasting my blog comments isn’t going to move any mountains.  Making a calm argument, like we’re doing, will.


And Scott, what are you, a blog spammer tonight or something?  You’ve blog-commented the same rant three times.  Enough.  You’ve said what you’ve had to say, and if you post one more comment I will remove it.


The glass is half full and we’re asking for a refill.


P.S. Do remember that every gig of additional Exchange storage is potential for liability, legal issues, and disclosures.  It increases your business risks to be that much of an email hog.  Keep in mind that all those terabytes are discoverable.  Sometimes forcing people to keep neat and tidy mailboxes “is” a good thing.  Just ask Enron, Arthur Andersen and Martha about email and courts… they might disagree with you on mail retention policies.

How about “more” friendly HTTP error messages?

From the mailbox today comes this tip from WayneV:


While I was trying to find an answer to a web-based program/IIS problem, I stumbled on a checkbox worth mentioning.


I was getting the error:

The page cannot be displayed

There is a problem with the page you are trying to reach and it cannot be displayed.

—————————————————————————

Please try the following:

Open the 12.3.45.254 home page, and then look for links to the information you want.
Click the Refresh button, or try again later.
Click Search to look for information on the Internet.
You can also see a list of related sites.

HTTP 500 – Internal server error
Internet Explorer

Which tells you practically nothing.


However, if in IE you turn off “Friendly HTTP error messages” by choosing Tools – Internet Options – Advanced, you get the real program error message and line number of the error, which makes it a hell of a lot easier to solve. -Sheeeesh